How many lines of code is the encryption part of rclone?

I am looking at rclone-master directory downloaded from GitHub

The whole directory contains 450k lines of code, which is HUGE.

I suspect most of this is for parts not related to encryption. To determine the attack surface and security level of the crypt backend, I looked at directory backend/crypt which contains 3.8k lines of code, which is more reasonable compared to 450k LoC.

However, it’s hard to find the total number of lines of code involved with encrypting a repository using rclone, due to dependencies between various parts, and the fact that Go crypto libraries providing SecretBox and AES (for file names) should be counted as well.

  • Could rclone’s developers chime in about the attack surface and security of encrypting data with rclone?

  • Is encryption part separated from the rest of the 450k LoC source mess?

  • How does rclone crypt security compare to that of alternatives such as Cryptomator (which is 40k LoC, 10X less than rclone size, but whose encryption part has also around 4K)?

  • Has rclone been audited (it’s a giant project and expensive to audit with 450k LoC)?

hi,

this has been discussed in the forum.
in what specific way did those posts not answer your questions?

The answer to the question in title can’t be found:

if I encrypt topsecret.pdf in a local crypt, how many lines of code do I have to trust?

Would be good to compare with some benchmarks too.

please count and let us know....

please compare and let us know....

But you said the answer can be found in numerous posts in this forum!

It requires some input from developers, due to factors stated in my post, that are hard for me to determine (I probably need a full review of 450k LoC, that is impractical).

i wrote that your concerns have been discussed, not answered.

Best place to get some information is here:

https://rclone.org/crypt/

Here is some data.

Rclone part:

— directory for each backend is around 3k LoC. Crypt and remote/local backends needed for encryption add up to 6k LoC.

— relevant functions in fs, cmd etc directories: around 5k

NACL package from Go crypto library:

— NACL directory 1.2k

— Salsa20 directory 1.7k

— scrypt directory: 400

Overall, these can add up to 15k LoC, required in the security-critical part of crypt backend.

However, each file calls other files and more LoC is surely involved.

It’s hard to determine the exact number of LoC needed for encryption, unless using a software utility.

1 Like
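
One way to get the number the last post says needs a software utility, as an added example that is not part of the thread or of rclone's own tooling: let the Go toolchain list the transitive import closure of `backend/crypt` with `go list -deps` and count the lines of exactly those files. The `RCLONE_SRC` variable and the function names `dep_files` and `loc_by_dir` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the rclone project).
# RCLONE_SRC, dep_files and loc_by_dir are names made up for this sketch.

# Print every .go file compiled into package $1 and its transitive imports
# for the current GOOS/GOARCH. Pass "with-std" as $2 to keep the standard
# library (crypto/aes etc.); golang.org/x/crypto is always included.
# Only GoFiles are listed: cgo and assembly sources are not counted.
dep_files() {
  go list -deps -f \
    '{{$p := .}}{{range .GoFiles}}{{$p.Standard}}{{"\t"}}{{$p.Dir}}/{{.}}{{"\n"}}{{end}}' "$1" |
    awk -F'\t' -v std="${2:-no-std}" \
      'NF == 2 && ($1 == "false" || std == "with-std") { print $2 }'
}

# Read file paths on stdin; print "<code>\t<all>\t<dir>" per package
# directory (largest first) and a final TOTAL row. "code" leaves out blank
# lines and lines holding only a // comment; block comments still count.
loc_by_dir() {
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    awk -v d="$(dirname "$f")" '
      { all++ }
      !/^[ \t]*(\/\/.*)?$/ { code++ }
      END { printf "%d\t%d\t%s\n", code, all, d }' "$f"
  done | awk -F'\t' -v OFS='\t' '
    { c[$3] += $1; a[$3] += $2; tc += $1; ta += $2 }
    END {
      for (d in c) print c[d], a[d], d | "sort -rn"
      close("sort -rn")
      print tc + 0, ta + 0, "TOTAL"
    }'
}

# Runs only when RCLONE_SRC points at an rclone checkout (assumed layout:
# the crypt backend is ./backend/crypt, as in the thread).
if [ -n "${RCLONE_SRC:-}" ]; then
  (cd "$RCLONE_SRC" && dep_files ./backend/crypt "${1:-no-std}" | loc_by_dir)
fi
```

The TOTAL row is an upper bound on the code reachable from the crypt backend for one platform, since importing a package pulls in all of its files whether or not every function is called.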